diff options
| author | Eric Biggers <ebiggers@kernel.org> | 2026-04-19 23:33:53 -0700 |
|---|---|---|
| committer | Herbert Xu <herbert@gondor.apana.org.au> | 2026-05-07 16:09:59 +0800 |
| commit | f4919bbca03c8d130a46eba99535b5730edd89a6 (patch) | |
| tree | 4e562449e412a2100952a47f323e951ddd0d26f2 | |
| parent | 06dc3f01e789cdad4d99b99eba35acb26d227f53 (diff) | |
| download | linux-next-history-f4919bbca03c8d130a46eba99535b5730edd89a6.tar.gz | |
crypto: drbg - Remove obsolete FIPS 140-2 continuous test
FIPS 140-2 required that a continuous test for repeated outputs be done
on both "Approved RNGs" and "Non-Approved RNGs".
That's apparently why crypto/drbg.c does such a test on the bytes it
pulls from get_random_bytes(), despite get_random_bytes() being a
"Non-Approved RNG" that is credited with zero entropy for FIPS purposes.
(From FIPS's point of view, the "Approved RNG" is jitterentropy.)
FIPS 140-3 "modernized" the continuous RNG test requirements. They're
now a bit more sophisticated, requiring both an "Adaptive Proportion
Test" and a "Repetition Count Test".
At the same time, FIPS 140-3 doesn't require continuous RNG tests on
"Non-Approved RNGs" if a "vetted conditioning component" is used. The
SP800-90A DRBGs are exactly such a vetted conditioning component, by
their design. (In the case of HASH_DRBG and CTR_DRBG, the derivation
function does have to be implemented. But the kernel does that.)
In other words: from FIPS 140-3's point of view, get_random_bytes()
still produces zero entropy, but the way the DRBG combines those bytes
with the jitterentropy bytes preserves all the "approved" entropy from
jitterentropy. Thus no test for get_random_bytes() is required.
Seeing as FIPS 140-2 certificates stopped being issued in 2021 in favor
of FIPS 140-3, this means this code is obsolete. Remove it.
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| -rw-r--r-- | crypto/drbg.c | 78 | ||||
| -rw-r--r-- | include/crypto/drbg.h | 2 |
2 files changed, 2 insertions, 78 deletions
diff --git a/crypto/drbg.c b/crypto/drbg.c index 83cb6c1bbac0a..66d7739469c67 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -205,55 +205,6 @@ static inline unsigned short drbg_sec_strength(drbg_flag_t flags) } } -/* - * FIPS 140-2 continuous self test for the noise source - * The test is performed on the noise source input data. Thus, the function - * implicitly knows the size of the buffer to be equal to the security - * strength. - * - * Note, this function disregards the nonce trailing the entropy data during - * initial seeding. - * - * drbg->drbg_mutex must have been taken. - * - * @drbg DRBG handle - * @entropy buffer of seed data to be checked - * - * return: - * %true on success - * %false when the CTRNG is not yet primed - */ -static bool drbg_fips_continuous_test(struct drbg_state *drbg, - const unsigned char *entropy) - __must_hold(&drbg->drbg_mutex) -{ - unsigned short entropylen = drbg_sec_strength(drbg->core->flags); - - if (!IS_ENABLED(CONFIG_CRYPTO_FIPS)) - return true; - - /* skip test if we test the overall system */ - if (list_empty(&drbg->test_data.list)) - return true; - /* only perform test in FIPS mode */ - if (!fips_enabled) - return true; - - if (!drbg->fips_primed) { - /* Priming of FIPS test */ - memcpy(drbg->prev, entropy, entropylen); - drbg->fips_primed = true; - /* priming: another round is needed */ - return false; - } - if (!memcmp(drbg->prev, entropy, entropylen)) - panic("DRBG continuous self test failed\n"); - memcpy(drbg->prev, entropy, entropylen); - - /* the test shall pass when the two values are not equal */ - return true; -} - /****************************************************************** * CTR DRBG callback functions ******************************************************************/ @@ -833,16 +784,6 @@ static inline int __drbg_seed(struct drbg_state *drbg, struct list_head *seed, return ret; } -static inline void drbg_get_random_bytes(struct drbg_state *drbg, - unsigned char *entropy, - unsigned int entropylen) - __must_hold(&drbg->drbg_mutex) -{ - do - get_random_bytes(entropy, entropylen); - while (!drbg_fips_continuous_test(drbg, entropy)); -} - static int drbg_seed_from_random(struct drbg_state *drbg) __must_hold(&drbg->drbg_mutex) { @@ -858,7 +799,7 @@ static int drbg_seed_from_random(struct drbg_state *drbg) drbg_string_fill(&data, entropy, entropylen); list_add_tail(&data.list, &seedlist); - drbg_get_random_bytes(drbg, entropy, entropylen); + get_random_bytes(entropy, entropylen); ret = __drbg_seed(drbg, &seedlist, true, DRBG_SEED_STATE_FULL); @@ -937,7 +878,7 @@ static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers, if (!rng_is_initialized()) new_seed_state = DRBG_SEED_STATE_PARTIAL; - drbg_get_random_bytes(drbg, entropy, entropylen); + get_random_bytes(entropy, entropylen); if (!drbg->jent) { drbg_string_fill(&data1, entropy, entropylen); @@ -1018,11 +959,6 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg) drbg->reseed_ctr = 0; drbg->d_ops = NULL; drbg->core = NULL; - if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { - kfree_sensitive(drbg->prev); - drbg->prev = NULL; - drbg->fips_primed = false; - } } /* @@ -1088,16 +1024,6 @@ static inline int drbg_alloc_state(struct drbg_state *drbg) drbg->scratchpad = PTR_ALIGN(drbg->scratchpadbuf, ret + 1); } - if (IS_ENABLED(CONFIG_CRYPTO_FIPS)) { - drbg->prev = kzalloc(drbg_sec_strength(drbg->core->flags), - GFP_KERNEL); - if (!drbg->prev) { - ret = -ENOMEM; - goto fini; - } - drbg->fips_primed = false; - } - return 0; fini: diff --git a/include/crypto/drbg.h b/include/crypto/drbg.h index 486aa793688e6..4fafc69a8ee65 100644 --- a/include/crypto/drbg.h +++ b/include/crypto/drbg.h @@ -109,8 +109,6 @@ struct drbg_state { enum drbg_seed_state seeded; /* DRBG fully seeded? */ unsigned long last_seed_time; bool pr; /* Prediction resistance enabled? */ - bool fips_primed; /* Continuous test primed? */ - unsigned char *prev; /* FIPS 140-2 continuous test value */ struct crypto_rng *jent; const struct drbg_state_ops *d_ops; const struct drbg_core *core; |